Support for a new insert stream (istream) operation in complex event processing (cep)

ABSTRACT

One embodiment of the invention includes a method of processing streaming data. The method includes initializing a stream of data and setting a time interval to apply to the stream of data. The time interval comprises a window for analyzing the data within the stream of data. The method further includes identifying one or more columns within the stream of data, designating one or more of the columns to be monitored for differences within the data over the time interval, and monitoring the designated columns over the time interval. Further, the method includes determining that at least one value from at least one of the designated columns has changed and in response to at least one value changing, outputting the changed values from the designated columns.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 13/102,665, filed on May 6, 2011, now U.S. Patent Application Publication No. US-2012-0284420A1, now allowed, the entire contents of which is hereby incorporated by reference in its entirety for all purposes.

BACKGROUND OF THE INVENTION

Typically, Complex Event Processing (CEP) is an approach that aggregates information from distributed message-based systems, databases, and applications in real-time and dynamically applies rules to discern patterns and trends that may otherwise go unnoticed. This may give companies the ability to identify and even anticipate exceptions and opportunities represented by seemingly unrelated events across highly complex, distributed, and heterogeneous environments. CEP is also used to correlate, aggregate, enrich, and detect patterns in high speed streaming data in near real time. Furthermore, CEP supports streaming of unbounded data through the notion of a stream. A stream is an unbounded collection of data items and in contrast, a selection is a finite collection of data items—much like in a traditional database system. Presently, there exist various operators that convert from a stream to a relation and vice versa.

Furthermore, ISTREAM (or insert stream) is one of the operators that converts a relation to a stream. ISTREAM calculates a multiset difference of a relation as a function of time R(t) and R(t−1) taking into account all columns of a relation. As such, because all columns are taken into account, the output data may include information which is unnecessary or unwanted. Hence, these and other shortcomings in the art are remedied by the present invention.

BRIEF SUMMARY OF THE INVENTION

One embodiment of the invention includes a method of processing streaming data. The method includes initializing a stream of data and setting a time interval to apply to the stream of data. The time interval comprises a window for analyzing the data within the stream of data. The method further includes identifying one or more columns within the stream of data, designating one or more of the columns to be monitored for differences within the data over the time interval, and monitoring the designated columns over the time interval. Further, the method includes determining that at least one value from at least one of the designated columns has changed and in response to at least one value changing, outputting the changed values from the designated columns.

In yet another embodiment, a system for processing streaming data, is described. The system includes a storage memory having sets of instructions stored thereon and a processor coupled with the storage memory. The sets of instructions when executed by the processor, cause the processor to: initialize a stream of data, and set a time interval to apply to the stream of data. The time interval comprises a window for analyzing the data within the stream of data. The instructions further cause the processor to identify one or more columns within the stream of data, designate one or more of the columns to be monitored for differences within the data over the time interval, monitor the designated columns over the time interval, determine that at least one value from at least one of the designated columns has changed, and in response to at least one value changing, output the changed values from the designated columns.

A further embodiment of the invention includes a computer-readable medium for processing streaming data. The computer-readable medium includes instructions for initializing a stream of data and setting a time interval to apply to the stream of data. The time interval comprises a window for analyzing the data within the stream of data. The computer-readable medium further includes instructions for identifying one or more columns within the stream of data, designating one or more of the columns to be monitored for differences within the data over the time interval, and monitoring the designated columns over the time interval. Further, the computer-readable medium includes instructions for determining that at least one value from at least one of the designated columns has changed and in response to at least one value changing, outputting the changed values from the designated columns.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is described in conjunction with the appended figures:

FIG. 1 is a flow diagram illustrating processing of streaming data according to embodiments of the present invention;

FIG. 2 is a flow diagram illustrating processing of streaming data according to further embodiments of the present invention;

FIG. 3 is a block diagram illustrating a system for processing streaming data according to embodiments of the present invention;

FIG. 4 is a diagram illustrating a table related to the processing of streaming data according to embodiments of the present invention;

FIG. 5 is a block diagram of an exemplary computer system capable of being used in at least some portion of the apparatuses or systems of the present invention, or implementing at least some portion of the methods of the present invention; and

FIG. 6 is a block diagram illustrating an exemplary networking system for implementing embodiments of the present invention.

In the appended figures, similar components and/or features may have the same numerical reference label. Further, various components of the same type may be distinguished by following the reference label by a letter that distinguishes among the similar components and/or features. If only the first numerical reference label is used in the specification, the description is applicable to any one of the similar components and/or features having the same first numerical reference label irrespective of the letter suffix.

DETAILED DESCRIPTION OF THE INVENTION

The ensuing description provides exemplary embodiments only, and is not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the exemplary embodiments will provide those skilled in the art with an enabling description for implementing one or more exemplary embodiments, it being understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the invention as set forth in the appended claims.

Specific details are given in the following description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits, systems, networks, processes, and other elements in the invention may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.

Also, it is noted that individual embodiments may be described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process may be terminated when its operations are completed, but could have additional steps not discussed or included in a figure. Furthermore, not all operations in any particularly described process may occur in all embodiments. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

The term “machine-readable medium” includes, but is not limited to portable or fixed storage devices, optical storage devices, wireless channels, and various other mediums capable of storing, containing or carrying instruction(s) and/or data. A code segment or machine-executable instructions may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

Furthermore, embodiments of the invention may be implemented, at least in part, either manually or automatically. Manual or automatic implementations may be executed, or at least assisted, through the use of machines, hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine readable medium. A processor(s) may perform the necessary tasks.

Aspects of the present invention relate to the concept that quite often some column values (or derived values) of tuples change between two consecutive instances of time (i.e., t and t+1), whereas other column values do not change. There may be situations where an application is interested in changes to only a subset of columns; however, ISTREAM currently considers all columns, and reports tuples even when the values (or derived values) of columns of interest do not change. As such, changes in data which are not of interest to the application may be outputted.

To this end, aspects of the present invention provide ISTREAM that not only consider a subset of columns, but also include new semantics, such as NOT IN semantics. Queries can be quite complex, and since ISTREAM actually works on a relation materialized from the execution of a query, aspects of the present invention can also apply the aforementioned logic to SELECT list expressions and apply it to a subset thereof. Applying an ISTREAM operator on a subset of columns with NOT IN semantic provides a convenient syntactic notation to express the output in a succinct manner.

Now, considering the following query:

CREATE QUERY q0 AS ISTREAM ( SELECT * FROM S [RANGE 1 NANOSECONDS] ) DIFFERENCE USING (c1, c2) This actually can lead to non-deterministic output (i.e., which tuple (and hence column values for c3) to pick and which one to leave out). Another alternative is to allow only columns or expressions based on columns specified in USING clause:

CREATE QUERY q0 AS ISTREAM ( SELECT c1, c2, func(c1,c2) FROM tkdata1_S [RANGE 1 NANOSECONDS] ) DIFFERENCE USING (c1, c2) or CREATE QUERY tkdata1_q1 AS ISTREAM ( SELECT func(c1,c2) FROM tkdata1_S [RANGE 1 NANOSECONDS] ) DIFFERENCE USING (c1, c2)

However, these expressions are too restrictive to be of any use. Hence, aspects of the present invention may utilize NOT IN (this is same as MINUS semantics except that the MINUS works strictly on a set, whereas the present invention allows for multiset/bag), which precisely results in the desired behavior without any of the aforementioned restrictions. Accordingly, with the given semantics, the output may be as follows for the following query and given input stream:

Query: CREATE QUERY q0 AS ISTREAM (SELECT c1 FROM S [RANGE 1 NANOSECONDS]) DIFFERENCE USING (c1) [or (1)] Input: Relation (t) Output 1000: 5 {5} +5 1000: 6 {5, 6} +6 1000: 7 {5, 6, 7} +7 1001: 5 {5, 6, 7, 5} — 1001: 6 {5, 6, 7, 5, 6} — 1001: 7 {5, 6, 7, 5, 6, 7} — 1001: 8 {5, 6, 7, 5, 6, 7, 8} +8 1002: 5 {5, 6, 7, 5, 6, 7, 8, 5} — 1003: −5, −5, −5 1003: −6, −6 1003: −7, −7, 8 { } 1004: 5 {5} +5

In one embodiment, the expressions in the using clause can be specified by using number positions (1 . . . N), which refer to positions of select expressions or using attributes, like c1,c2, which refer to aliases in select list. If select list contains a complex expression, then it may be appropriately aliased as the USING clause does not allow expressions to be specified.

A further aspect of the present invention includes the following algorithm. For example, let the timestamp of stream elements which belong to T (i.e., where T is a discrete ordered time domain). The following describes one implementation and algorithm in abstract terms.

public istream ( ) {  /* constructor initializes various data structures used by the operator */  public istream( );  /* relation synopsis: captures the relation as of time t−1, i.e. R(t−1). */  private synopsis relsyn;  /* synopsis to capture simultaneous tuples, i.e tuples with the same  timestamp */  private synopsis nowsyn;  /* list of tuple qualified for output */  private List nowList;  /* setup an index on relsyn above on expression of interest for faster  lookup */  private index relidx;  /* setup an index on relsyn above on expression of interest for faster  lookup */  private index nowidx;  /* retrieve the next tuple from the queue.  * if its timestamp is greater than that of last one, i.e. time has advanced:   * - drain the now list (nowList) and output all tuples therein.   * - update relsyn by inserting tuples in nowsyn.   *   * Depending on the type of the tuple call handlePlus or handleMinus   method   */ public void getTuple( );  /* if tuple exists in relsyn, discard it, i.e. it exists in R(t−1).   * - insert it into nowsyn (to update relsyn later)   * else   * - insert it into nowList, nowSyn  */  public void handlePlus(Tuple t);   /* ISTREAM by definition does not output negative tuples.   * - insert into nowSyn, if a corresponding +ve tuple is found   decrement refcount.   * if refcount is zero, delete it from nowSyn.   * - if a +ve tuples exists in nowList, decrement refcount, delete if  * refcount is 0.   */  public void handleMinus(Tuple t); }

Some possible advantage of the present invention may be that users are allowed to declaratively and succinctly specify complex logic involving multiset not in semantics. Such functionality may be completely and seamlessly integrated into, for example, a declarative framework within a server without requiring users to write a lot of code and/or resort to expensive operations, such as RSTREAM. The present invention may also be memory optimized. Most users have events with a large number of fields, but only a subset of them are of interest. In such situations the ISTREAM multiset except semantics (previous behavior) may not only be expensive but also undesirable. Furthermore, it may not be possible to combine other current contextual query language (CQL) constructs to come up with semantics (multiset NOT IN), which are supported by the present invention. Furthermore, this new variant of the ISTREAM operator provides users the additional flexibility in designing applications when interested only in a subset of SELECT expressions, with deterministic semantics, significant performance improvement by eliminating events of non-interest, etc.

CQL terminology:

Streams: A stream is the principal source of data that Oracle CQL queries act on. Stream S is a bag multi-set of elements (s,T) where s is in the schema of S and T is in the time domain. Stream elements are tuple-timestamp pairs, which can be represented as a sequence of timestamped tuple insertions. In other words, a stream is a sequence of timestamped tuples. There could be more than one tuple with the same timestamp. The tuples of an input stream are required to arrive at the system in the order of increasing timestamps. A stream has an associated schema consisting of a set of named attributes, and all tuples of the stream conform to the schema.

Time: Timestamps are an integral part of an Oracle CEP stream. However, timestamps do not necessarily equate to clock time. For example, time may be defined in the application domain where it is represented by a sequence number. Timestamps need only guarantee that updates arrive at the system in the order of increasing timestamp values. Note that the timestamp ordering requirement is specific to one stream or a relation. For example, tuples of different streams could be arbitrarily interleaved. Oracle CEP can observe application time or system time.

For system timestamped relations or streams, time is dependent upon the arrival of data on the relation or stream data source. Oracle CEP generates a heartbeat on a system timestamped relation or stream if there is no activity (no data arriving on the stream or relation's source) for more than a specified time: for example, 1 minute. Either the relation or stream is populated by its specified source or Oracle CEP generates a heartbeat every minute. This way, the relation or stream can never be more than 1 minute behind. For system timestamped streams and relations, the system assigns time in such a way that no two events will have the same value of time. However, for application timestamped streams and relations, events could have the same value of time.

Tuple Kind: CEP tuple kind indicators are: + for inserted tuple, − for deleted tuple. It should be noted that these terms are merely provided for clarity and other definitions and interpretations of these terms may be used as is known by one of ordinary skill in the art.

Turning now to FIG. 1, which illustrates a method 100 of processing streaming data, according to embodiments of the present invention. At process block 105, a data stream may be initialized. In one embodiment, the stream may be associated with a particular application or set of applications. Further, the stream may be a CEP stream or the like. Furthermore, the streaming data may include tables which in turn include columns and/or fields. The streaming data may also be stored in one or more databases.

At process block 110, one or more of the columns within the stream of data may be identified as columns of “interest”. In one embodiment, the columns of interest may be columns for which the application (or the user) is interested in changes that occur to the data within the columns. Furthermore, a time interval for processing the data stream may be associated with the stream of data (process block 115). For example, the time interval may be 1 nanosecond, 10 nanoseconds, 1 millisecond, 10 milliseconds, etc., and the time interval may provide a window for analyzing the data within the stream of data. In one embodiment, the window may provide a relation for creating the table within the stream of data. The table may be populated with data from the stream within the window (i.e., within the time interval).

At process block 120, one or more of the columns within the table may be selected for monitoring differences within the data included in the columns. For example, if a table includes ten columns A-J and columns A and C are selected to be monitored, then the query will only generate output when changes to either column A or C occur. As such, the output will contain information with is considered relevant to the user and/or application.

Accordingly, the selected columns are monitored for changes over the time interval (process block 125). If changes occur (decision block 130), then the differences for the selected column(s) are outputted for the current time interval (process block 135). Alternatively, if no changes occur in the data within the selected column(s), then the selected column(s) is continued to be monitored for subsequent time intervals for the duration of the data stream (process block 140).

One example of an implementation of method 100 may be with regard to traffic data. A stream of traffic data for a given car driving on the highway may include a number of variables (e.g., speed, location, time, segment, etc.). Each of these variables may be translated into columns within a table, and the data within the columns may change continuously. However, only certain changes in the data may be of use to an application. In one embodiment, the application is a toll application which charges tolls based on segments of a road traveled. A such, it may only be valuable to the application to know when the car has traveled from one segment of the highway to another.

Thus, changes in speed, for example, may not be worth outputting. Additionally, it is likely that changes in speed occur within nearly every time interval. Likewise, time and location may not be worth outputting changes, but changes in segment may be worth outputting. As such, as the car moves on the highway, the location (or coordinates) are monitored to determine if the current segment has changed. Thus, if the location changes from a location within one segment to a location within another segment, such a change will be outputted. Accordingly, in this example, the toll application can calculate an additional toll amount based on the segment change, while ignoring the changes in speed, time, and location.

Referring now to FIG. 2, which illustrates a method 200 of processing streaming data, according to embodiments of the present invention. At process block 205, relational data may be converted into streaming data by applying the ISTREAM operation. Then, based on the streaming data as applied to a bounding constraint, segments within the data stream may be determined (process block 210).

At process block 215, at least one column within the data stream may be identified as including data in which an application is interested in viewing changes. At process block 220, the identified column is selected over the determined segment. Changes to the data within the identified column may then be monitored (process block 225). At process block 230, the multiset ISTREAM operation of the selected column over the determined segment as applied to the monitored column is executed. As such, the resulting data from the mutiset ISTREAM operation only includes change data to the columns of interest and such changes are then outputted (process block 235).

FIG. 3 is a block diagram illustrating a system 300 for processing streaming data according to embodiments of the present invention. In one embodiment, system 300 includes a streaming data source 305. The streaming data source 305 may be in communication with an application server 310 which includes a CEP processor 315. In one embodiment, CEP processor 315 may be configured to implement methods 100 and 200 from FIGS. 1 and 2. Furthermore, application server 310 may be in communication with a database 320 and an output device 325. In one embodiment, database 320 may store the data from the streaming data source 305, and output device 325 may be used to display the resulting changes to the monitored data. Furthermore, database 320 may be remotely located from the application server 310 or co-located with the application server 310.

Turning now to FIG. 4, a table related to the processing of streaming data is illustrated, according to embodiments of the present invention. The following query may be used to generate the result table of FIG. 4:

CREATE QUERY q0 AS ISTREAM (SELECT c1 FROM S [RANGE 1 NANOSECONDS]) DIFFERENCE USING (c1) [or (1)].

As such, at timestamp 1000, the output would be ‘5’ based on the change which occurred within the interval. At timestamp 1000, the output would be ‘6’ based on the change which occurred within the interval. Similarly, at timestamp 1000, the output would be ‘7’ based on the changes within the interval. Interval 1001 would not have any output due to the fact that ‘5’, ‘6’, and ‘7’ were already included within the data set. At timestamp 1001, ‘8’ would be the output due to the change.

Intervals 1003 and 1004 would not include any output due to the fact that ‘5’ is not a change and the remainder of the intervals include a removal. Subsequently, at timestamp 1004, since ‘5’ was removed from the data set, the addition of ‘5’ is not outputted because it is not a change to the data set.

In one embodiment, nothing is output until there is progression of time. This may be due to the fact that another −ve tuple can come at the same timestamp that has not been seen, thus canceling out the +ve which is already seen. Thus, the output should be at one timestamp later, but still propagating the timestamp at which it was seen. (It may be there in the form of a hidden column of an element time, but some applications may choose to ignore it.)

FIG. 5 is a block diagram illustrating an exemplary computer system 500 in which embodiments of the present invention may be implemented. The computer system 500 is shown comprising hardware elements that may be electrically coupled via a bus 590. The hardware elements may include one or more central processing units 510, one or more input devices 520 (e.g., a mouse, a keyboard, etc.), and one or more output devices 530 (e.g., a display device, a printer, etc.). The computer system 500 may also include one or more storage device(s) 540. By way of example, storage device(s) 540 may be disk drives, optical storage devices, a solid-state storage device such as a random access memory (“RAM”) and/or a read-only memory (“ROM”), which can be programmable, flash-updateable and/or the like.

The computer system 500 may additionally include a computer-readable storage media reader 550, a communications system 560 (e.g., a modem, a network card (wireless or wired), an infra-red communication device, Bluetooth™ device, cellular communication device, etc.), and working memory 580, which may include RAM and ROM devices as described above. In some embodiments, the computer system 500 may also include a processing acceleration unit 570, which can include a digital signal processor, a special-purpose processor and/or the like.

The computer-readable storage media reader 550 can further be connected to a computer-readable storage medium, together (and, optionally, in combination with storage device(s) 540) comprehensively representing remote, local, fixed, and/or removable storage devices plus storage media for temporarily and/or more permanently containing computer-readable information. The communications system 560 may permit data to be exchanged with a network, system, computer and/or other component described above.

The computer system 500 may also comprise software elements, shown as being currently located within a working memory 580, including an operating system 588 and/or other code 584. It should be appreciated that alternate embodiments of a computer system 500 may have numerous variations from that described above. For example, customized hardware might also be used and/or particular elements might be implemented in hardware, software (including portable software, such as applets), or both. Furthermore, connection to other computing devices such as network input/output and data acquisition devices may also occur.

Software of computer system 500 may include code 584 for implementing any or all of the functions of the various elements of the architecture as described herein. For example, software, stored on and/or executed by a computer system such as system 500, can provide the functionality and/or other components of the invention such as those discussed above. Methods implementable by software on some of these components have been discussed above in more detail.

Merely by way of example, FIG. 6 illustrates a schematic diagram of a system 600 that can be used in accordance with one set of embodiments. The system 600 can include one or more user computers 605. The user computers 605 can be general purpose personal computers (including, merely by way of example, personal computers and/or laptop computers running any appropriate flavor of Microsoft Corp.'s Windows™ and/or Apple Corp.'s Macintosh™ operating systems) and/or workstation computers running any of a variety of commercially available UNIX™ or UNIX-like operating systems. These user computers 605 can also have any of a variety of applications, including one or more applications configured to perform methods of the invention, as well as one or more office applications, database client and/or server applications, and web browser applications. Alternatively, the user computers 605 can be any other electronic device, such as a thin-client computer, Internet-enabled mobile telephone, and/or personal digital assistant (PDA), capable of communicating via a network (e.g., the network 610 described below) and/or displaying and navigating web pages or other types of electronic documents. Although the exemplary system 600 is shown with three user computers 605, any number of user computers can be supported.

Certain embodiments of the invention operate in a networked environment, which can include a network 610. The network 610 can be any type of network familiar to those skilled in the art that can support data communications using any of a variety of commercially available protocols, including without limitation TCP/IP, SNA, IPX, AppleTalk, and the like. Merely by way of example, the network 610 can be a local area network (“LAN”), including without limitation an Ethernet network, a Token-Ring network and/or the like; a wide-area network (WAN); a virtual network, including without limitation a virtual private network (“VPN”); the Internet; an intranet; an extranet; a public switched telephone network (“PSTN”); an infrared network; a wireless network, including without limitation a network operating under any of the IEEE 802.11 suite of protocols, the Bluetooth™ protocol known in the art, and/or any other wireless protocol; and/or any combination of these and/or other networks.

Embodiments of the invention can include one or more server computers 615. Each of the server computers 615 may be configured with an operating system, including without limitation any of those discussed above, as well as any commercially (or freely) available server operating systems. Each of the servers 615 may also be running one or more applications, which can be configured to provide services to one or more user computers 605 and/or other server computers 615.

Merely by way of example, one of the servers 615 may be a web server, which can be used, merely by way of example, to process requests for web pages or other electronic documents from user computers 605. The web server can also run a variety of server applications, including HTTP servers, FTP servers, CGI servers, database servers, Java™ servers, and the like. In some embodiments of the invention, the web server may be configured to serve web pages that can be operated within a web browser on one or more of the user computers 605 to perform methods of the invention.

The server computers 615, in some embodiments, might include one or more application servers, which can include one or more applications accessible by a client running on one or more of the user computers 605 and/or other server computers 615. Merely by way of example, the server computers 615 can be one or more general purpose computers capable of executing programs or scripts in response to the user computers 605 and/or other server computers 615, including without limitation web applications (which might, in some cases, be configured to perform methods of the invention). Merely by way of example, a web application can be implemented as one or more scripts or programs written in any suitable programming language, such as Java™, C, C#™ or C++, and/or any scripting language, such as Perl, Python, or TCL, as well as combinations of any programming/scripting languages. The application server(s) can also include database servers, including without limitation those commercially available from Oracle™, Microsoft™, Sybase™, IBM™ and the like, which can process requests from clients (including, depending on the configuration, database clients, API clients, web browsers, etc.) running on a user computer 605 and/or another server computer 615. In some embodiments, an application server can create web pages dynamically for displaying the information in accordance with embodiments of the invention. Data provided by an application server may be formatted as web pages (comprising HTML, Javascript, etc., for example) and/or may be forwarded to a user computer 605 via a web server (as described above, for example). Similarly, a web server might receive web page requests and/or input data from a user computer 605 and/or forward the web page requests and/or input data to an application server. In some cases a web server may be integrated with an application server.

In accordance with further embodiments, one or more server computers 615 can function as a file server and/or can include one or more of the files (e.g., application code, data files, etc.) necessary to implement methods of the invention incorporated by an application running on a user computer 605 and/or another server computer 615. Alternatively, as those skilled in the art will appreciate, a file server can include all necessary files, allowing such an application to be invoked remotely by a user computer 605 and/or server computer 615. It should be noted that the functions described with respect to various servers herein (e.g., application server, database server, web server, file server, etc.) can be performed by a single server and/or a plurality of specialized servers, depending on implementation-specific needs and parameters.

In certain embodiments, the system can include one or more database(s) 620. The location of the database(s) 620 is discretionary. Merely by way of example, a database 620 a might reside on a storage medium local to (and/or resident in) a server computer 615 a (and/or a user computer 605). Alternatively, a database 620 b can be remote from any or all of the computers 605, 615, so long as the database can be in communication (e.g., via the network 610) with one or more of these. In a particular set of embodiments, a database 620 can reside in a storage-area network (“SAN”) familiar to those skilled in the art. (Likewise, any necessary files for performing the functions attributed to the computers 605, 615 can be stored locally on the respective computer and/or remotely, as appropriate.) In one set of embodiments, the database 620 can be a relational database, such as an Oracle™ database, that is adapted to store, update, and retrieve data in response to SQL-formatted commands. The database might be controlled and/or maintained by a database server, as described above, for example.

The invention has now been described in detail for the purposes of clarity and understanding. However, it will be appreciated that certain changes and modifications may be practiced within the scope of the appended claims. 

What is claimed is:
 1. A method of processing streaming data, the method comprising: initializing, by a computer processor, a stream of data for a continuous query logic (CQL) operation; identifying, by the computer processor, one or more columns within the stream of data; designating, in the CQL operation, one or more of the columns to be monitored for differences in data within the columns over a time interval by applying a SELECT list expressions to a subset of the stream of data, wherein the one or more designated columns are columns of interest; applying a relation-to-stream operator to the one or more designated columns; monitoring, by the computer processor, the data within the designated columns over the time interval; determining, by the computer processor, that at least one value from at least one of the one or more designated columns has changed based on applying the relation-to stream operator to the one or more designated columns; and in response to at least one value changing, outputting the changed values from the designated columns that occur within the time interval using the CQL operation.
 2. The method of claim 1, further comprising setting the time interval of the CQL operation to apply to the stream of data, wherein the time interval comprises a window for analyzing the data within the designated columns.
 3. The method of claim 1, further comprising, determining, by the computer processor, that no values from at least one of the designated columns have changed over the time interval.
 4. The method of claim 3, in response to determining that no values from least one of the designated columns have changed, not outputting by the computer processor, the values from at least one of the designated columns.
 5. The method of claim 1, further comprising continuing to receive the data associated with the designated columns for a next time interval of the CQL operation.
 6. The method of claim 5, wherein the data associated with the designated columns for the next time interval is received substantially in real-time.
 7. The method of claim 1, wherein the one or more columns are included in one or more tables constructed from the stream of data over the time interval.
 8. The method of claim 1, wherein the stream of data comprises a complex event processing (CEP) data stream.
 9. A computer-readable storage medium having stored thereon instructions for causing at least one computer system to detect policy violations for an organization, the instructions comprising: instructions that cause the at least one computer system to initialize a stream of data for a continuous query logic (CQL) operation; instructions that cause the at least one computer system to identify one or more columns within the stream of data; instructions that cause the at least one computer system to designate in the CQL operation, one or more of the columns to be monitored for differences in data within the columns over a time interval by applying a SELECT list expressions to a subset of the stream of data, wherein the one or more designated columns are columns of interest; instructions that cause the at least one computer system to apply a relation-to-stream operator to the one or more designated columns; instructions that cause the at least one computer system to monitor the data within the designated columns over the time interval; instructions that cause the at least one computer system to determine that at least one value from at least one of the one or more designated columns has changed based on applying the relation-to-stream operator; and in response to at least one value changing, instructions that cause the at least one computer system to output the changed values from the designated columns that occur within the time interval using the CQL operation.
 10. The computer-readable storage medium of claim 9, wherein the instructions further comprise instructions to set the time interval of the CQL operation to apply to the stream of data, wherein the time interval comprises a window for analyzing the data within the designated columns.
 11. The computer-readable storage medium of claim 9, wherein the instructions further comprise instructions to determine that no values from at least one of the designated columns have changed over the time interval.
 12. The computer-readable storage medium of claim 11, wherein the instructions further comprise instructions to not output the values from at least one of the designated columns in response to the instructions to determine that no values from at least one of the designated columns have changed over the time interval.
 13. The computer-readable storage medium of claim 9, wherein the instructions further comprise instructions to receive the data associated with the designated columns for a next time interval of the CQL operation.
 14. The computer-readable storage medium of claim 13, wherein the data associated with the designated columns for the next time interval is received substantially in real-time.
 15. The computer-readable storage medium of claim 9, wherein the stream of data comprises a complex event processing (CEP) data stream.
 16. A system for processing streaming data, comprising: one or more computing devices comprising at least one processor configured to execute computer executable instructions to collectively at least: initialize a stream of data for a continuous query logic (CQL) operation; identify one or more columns within the stream of data; designate in the CQL operation, a subset of columns to be monitored for differences in data within the one or more columns over a time interval by applying a SELECT list expressions to a subset of the stream of data, wherein the one or more designated columns are columns of interest; apply a relation-to-stream operator to the one or more designated columns; monitor the data within the designated columns over the time interval; determine that at least one value from at least one of the one or more designated columns has changed based on applying the relation-to stream operator to the one or more designated columns; in response to at least one value changing, outputting the changed values from the designated columns that occur within the time interval using the CQL operation; determine that no values from at least one of the designated columns have changed over the time interval; and in response to determining that no values from least one of the designated columns have changed, not outputting the values from at least one of the designated columns.
 17. The system of claim 16, wherein the one or more computing devices are collectively operable to set the time interval of the CQL operation to apply to the stream of data, wherein the time interval comprises a window for analyzing the data within the designated columns.
 18. The system of claim 16, wherein the one or more computing devices are further collectively operable to receive the data associated with the designated columns for the next time interval substantially in real-time.
 19. The system of claim 16, wherein the one or more columns are included in one or more tables constructed from the stream of data over the time interval.
 20. The system of claim 16, wherein the stream of data comprises a complex event processing (CEP) data stream. 